[00:00.000 --> 00:03.200]  And welcome to DEF CON Red Team Village.
[00:03.200 --> 00:05.040]  My name is Jorge Orchilles,
[00:05.040 --> 00:06.420]  and this talk is titled
[00:06.420 --> 00:11.900]  Deep Dive into Adversary Emulation, Ransomware Edition.
[00:11.900 --> 00:14.580]  And what we're going to look at is an attack
[00:14.580 --> 00:17.280]  that we saw in July, 2020,
[00:17.280 --> 00:20.460]  against the Garmin organization.
[00:20.460 --> 00:24.240]  It brought all their services down, asking them to pay a ransom.
[00:24.240 --> 00:27.460]  The particular adversary that was attributed to this attack
[00:28.280 --> 00:33.440]  is Evil Corp, and they used a ransomware called WastedLocker.
[00:33.440 --> 00:36.260]  So we're going to talk about how we can emulate
[00:37.280 --> 00:39.500]  a ransomware attack against an organization
[00:39.500 --> 00:40.980]  in a professional manner,
[00:40.980 --> 00:45.000]  so that we can test our detective and preventive controls
[00:45.000 --> 00:49.500]  and answer the question that most CISOs want to know.
[00:49.500 --> 00:51.840]  Can this happen to us?
[00:51.840 --> 00:53.280]  I hope you enjoy,
[00:53.280 --> 00:56.160]  and I'm available to answer any questions.
[00:56.500 --> 00:59.300]  As mentioned, my name is Jorge Orchilles.
[00:59.300 --> 01:02.620]  I'm the Chief Technology Officer at SCYTHE.
[01:02.620 --> 01:06.500]  I'm also the author of the Purple Team Exercise Framework
[01:06.500 --> 01:08.780]  that we recently released and made available
[01:08.780 --> 01:11.780]  to everyone for free on our website.
[01:11.780 --> 01:17.100]  I co-created the C2 Matrix with Bryson Bort and Adam Mashinchi,
[01:17.500 --> 01:20.740]  and it is a framework of various different
[01:20.740 --> 01:21.960]  command and control frameworks
[01:21.960 --> 01:25.320]  with their capabilities and their features.
[01:25.320 --> 01:28.300]  We'll cover that a little bit in this deck.
[01:28.720 --> 01:30.320]  Before joining SCYTHE,
[01:30.320 --> 01:32.940]  I worked at Citigroup for 10 years
[01:32.940 --> 01:34.880]  running the offensive security team.
[01:34.880 --> 01:37.680]  I started as a vulnerability assessment analyst,
[01:37.680 --> 01:40.040]  then introduced penetration testing,
[01:40.040 --> 01:43.220]  and eventually created the Red Team about five years ago.
[01:43.220 --> 01:45.300]  We then created a Purple Team function
[01:45.300 --> 01:49.620]  and began doing adversary emulations across the globe
[01:49.620 --> 01:52.040]  and working with various regulators,
[01:52.040 --> 01:55.480]  which led to the creation of a global framework
[01:55.480 --> 01:57.840]  with the Global Financial Markets Association
[01:57.840 --> 02:01.400]  titled Threat-Led Penetration Testing.
[02:01.460 --> 02:03.800]  So we'll cover a lot of that here as well.
[02:03.800 --> 02:05.400]  That's also a free framework.
[02:05.400 --> 02:06.620]  I teach for SANS.
[02:06.620 --> 02:09.340]  I've taught for SANS for the past 10 years,
[02:09.340 --> 02:11.020]  mostly the pen test curriculum
[02:11.020 --> 02:13.060]  and also some of the cloud courses.
[02:13.060 --> 02:17.780]  But if you've ever taken or have the GCIH or the GPEN,
[02:17.780 --> 02:18.840]  shout out to you.
[02:18.840 --> 02:22.040]  I also have a two-day Red Team exercise
[02:22.040 --> 02:24.460]  and adversary emulation course.
[02:24.460 --> 02:28.260]  While at Citi, I was part of the CVSS working group
[02:28.260 --> 02:29.360]  and I was a voting member
[02:29.360 --> 02:32.720]  when we released versions 3 and 3.1.
[02:32.840 --> 02:34.060]  Version 4 is in the works
[02:34.060 --> 02:37.100]  and I'm also working on another working group now
[02:37.100 --> 02:39.500]  as I'm no longer a voting member of CVSS
[02:40.120 --> 02:44.420]  on what's called the Exploit Prediction Scoring System.
[02:44.420 --> 02:47.120]  We're trying to identify what vulnerabilities
[02:47.120 --> 02:50.320]  will be exploited versus ones that will not,
[02:50.320 --> 02:52.780]  even if they have similar CVSS scores.
[02:52.780 --> 02:54.740]  It's a very interesting project.
[02:54.740 --> 02:56.660]  And if you'd like to join,
[02:56.660 --> 02:59.780]  it is a working group as part of FIRST as well.
[02:59.940 --> 03:03.440]  I really believe in ISSA and giving back to the community.
[03:03.440 --> 03:06.380]  ISSA is the Information Systems Security Association.
[03:06.380 --> 03:08.940]  They might have a chapter in your location.
[03:08.940 --> 03:09.920]  Definitely go out.
[03:09.920 --> 03:13.900]  I actually found two of my jobs before working at Citi.
[03:13.900 --> 03:17.080]  I worked at Terremark in a security operations center,
[03:17.080 --> 03:21.420]  found that job through there as well as my job at Citi.
[03:21.420 --> 03:25.020]  So definitely network and give back to the community.
[03:25.020 --> 03:29.000]  Long, long ago, I wrote a book on Windows 7.
[03:29.000 --> 03:30.920]  So I am a published author.
[03:31.200 --> 03:33.940]  Hopefully no one's using that operating system.
[03:34.220 --> 03:36.640]  So here's our agenda for today.
[03:36.640 --> 03:38.300]  We're going to cover some definitions
[03:38.300 --> 03:40.980]  because as any red team talk,
[03:40.980 --> 03:43.580]  we have to argue about definitions
[03:44.060 --> 03:47.640]  and really want to use the same language in the industry
[03:47.640 --> 03:50.180]  and hopefully help the industry use the same language.
[03:50.180 --> 03:52.360]  So we're going to cover things like red teaming,
[03:52.360 --> 03:54.440]  purple teaming, and adversary emulation.
[03:54.440 --> 03:56.960]  Then we're going to talk about ransomware.
[03:57.040 --> 04:00.100]  And ransomware is something that we've all heard about.
[04:00.100 --> 04:04.080]  And while many of us find this annoying and not sophisticated,
[04:04.080 --> 04:07.160]  we're actually seeing an uptick in the sophistication level
[04:07.160 --> 04:10.040]  where it isn't just about gaining initial access
[04:10.040 --> 04:12.940]  and impacting the target systems,
[04:12.940 --> 04:14.820]  but it also involves moving laterally
[04:14.820 --> 04:19.420]  and exfiltrating information prior to requesting a ransom.
[04:19.740 --> 04:22.220]  So we're going to cover our usual steps
[04:22.220 --> 04:24.740]  when we talk about adversary emulation,
[04:24.740 --> 04:26.600]  starting with cyber threat intelligence.
[04:26.600 --> 04:28.820]  We want to learn about various attacks.
[04:28.820 --> 04:32.180]  In this case, we're going to talk about Garmin and Evil Corp
[04:32.180 --> 04:37.060]  using a piece of malware called WastedLocker.
[04:37.060 --> 04:40.060]  It's the attack that affected Garmin in July 2020.
[04:40.060 --> 04:41.820]  We're going to understand that attack.
[04:41.820 --> 04:45.000]  We're going to create an adversary emulation plan around it.
[04:45.000 --> 04:48.040]  Then we're going to perform it. So it should be a lot of fun.
[04:48.040 --> 04:51.380]  Then, of course, we're going to talk about defending against ransomware.
[04:51.380 --> 04:54.500]  Now, the first thing I want to cover is definitions.
[04:54.500 --> 04:57.640]  And we published this ethical hacking maturity model
[04:57.640 --> 05:01.740]  to kind of show a blueprint of how many organizations
[05:02.180 --> 05:04.960]  are maturing in their offensive security.
[05:04.960 --> 05:08.440]  Now, this doesn't mean that every organization is the same.
[05:08.440 --> 05:10.380]  This is really based on my experiences
[05:10.380 --> 05:14.160]  and on experiences of organizations I've talked to,
[05:14.160 --> 05:17.040]  whether they're SANS students or other people in the industry
[05:17.040 --> 05:20.480]  that have asked about this particular subject.
[05:20.520 --> 05:25.280]  So most organizations start over on the left side with vulnerability scanning.
[05:25.280 --> 05:29.920]  Here's where you run a scan against an IP or a web app,
[05:29.920 --> 05:34.640]  and you get back a list of vulnerabilities based on signatures.
[05:34.640 --> 05:38.820]  Vulnerability assessment is when you look at the output of that vulnerability scan
[05:38.820 --> 05:41.580]  and you give it a real risk rating,
[05:41.580 --> 05:44.620]  where you actually calculate if the risk is there,
[05:44.620 --> 05:46.620]  you verify the vulnerability,
[05:46.620 --> 05:49.860]  and you prioritize what needs to get fixed.
[05:50.360 --> 05:55.120]  Penetration testing then involves the exploitation of vulnerabilities.
[05:55.120 --> 05:56.640]  And this can involve finding vulnerabilities
[05:57.060 --> 06:00.720]  that the vendor didn't know about, which we call zero-days,
[06:00.720 --> 06:03.560]  or it could also mean gaining access to a target system
[06:03.560 --> 06:08.260]  and learning and really calculating that business risk.
[06:08.320 --> 06:12.240]  Unfortunately, in the industry, pen testing got very scoped down.
[06:12.240 --> 06:15.300]  We weren't allowed to move laterally to other hosts.
[06:15.300 --> 06:19.020]  We weren't allowed to do social engineering and things like that.
[06:19.020 --> 06:21.300]  And that's where the red team came in.
[06:21.320 --> 06:24.820]  The red team started testing people, process, and technology.
[06:25.260 --> 06:29.980]  Purple teaming is where we work together, the red team with the blue team.
[06:29.980 --> 06:35.920]  And adversary emulation is a cyber threat intelligence-led assessment,
[06:35.920 --> 06:37.680]  generally carried out by the red team.
[06:37.680 --> 06:41.300]  And it can be a full knowledge or zero knowledge assessment,
[06:41.300 --> 06:44.400]  in which case it would be a purple team or a red team engagement.
[06:44.400 --> 06:47.820]  Now, as I mentioned, these don't necessarily mean
[06:47.820 --> 06:51.780]  that it's the steps you must take to get to where you want to go.
[06:51.780 --> 06:55.320]  This is just an example that you can use with your senior management
[06:55.320 --> 06:58.680]  to explain to them how your organization has matured.
[06:58.680 --> 07:04.100]  There is an arrow there at the end, which means that I'm sure this will continue to evolve.
[07:04.160 --> 07:06.060]  Every organization is different.
[07:06.340 --> 07:08.700]  And of course, don't stop doing the previous step.
[07:08.700 --> 07:11.180]  Just because you're doing red team and purple team engagements
[07:11.180 --> 07:14.780]  doesn't mean you're not doing vulnerability scanning anymore.
[07:14.780 --> 07:18.060]  There's an entire article on this if you'd like to read more about it.
[07:18.080 --> 07:21.380]  The reason we're here is to talk about adversary emulation.
[07:21.380 --> 07:25.040]  And that can be defined as a type of red team exercise.
[07:25.040 --> 07:27.500]  There's many different types of red team engagements.
[07:27.500 --> 07:29.460]  This is one of those types.
[07:29.460 --> 07:34.200]  And in this type, we are going to emulate adversary tactics,
[07:34.200 --> 07:37.100]  techniques, and procedures or adversary behavior.
[07:37.100 --> 07:41.520]  We understand those behaviors by leveraging cyber threat intelligence.
[07:41.520 --> 07:45.260]  And just like the malicious actors, we're going to have an objective,
[07:45.620 --> 07:49.900]  which would be very similar to the objective of that actor.
[07:49.940 --> 07:54.500]  So in this case, we are putting TTPs together in an attack chain
[07:55.060 --> 07:57.900]  for testing of these various scenarios.
[07:57.900 --> 08:01.480]  And it's really going to answer the question if the target organization
[08:01.480 --> 08:05.100]  is ready for a real sophisticated attack.
[08:05.100 --> 08:07.680]  Most of the time, the effort here is manual.
[08:07.680 --> 08:08.800]  There are a number of tools.
[08:08.800 --> 08:12.720]  There's some automation that you can build around doing TTPs.
[08:12.720 --> 08:14.560]  My company, SCYTHE, does some of this.
[08:14.560 --> 08:16.520]  So we'll cover that a little later.
[08:16.800 --> 08:21.820]  But it's mostly manual because you can't really automate an entire red team, right?
[08:21.820 --> 08:24.920]  You actually need people, which is very important.
[08:25.040 --> 08:29.100]  So as I mentioned, adversary emulation is a type of red team exercise.
[08:29.100 --> 08:30.700]  There's different types.
[08:30.700 --> 08:35.640]  And a red team can be defined as the practice of looking at a problem or situation
[08:35.640 --> 08:40.120]  from the perspective of an adversary, which means that you can do a lot with that.
[08:40.120 --> 08:41.560]  It could be physical pen testing.
[08:41.560 --> 08:46.220]  It could be doing phishing simulations for awareness training,
[08:46.220 --> 08:49.980]  or it could be testing one or creating a new TTP.
[08:49.980 --> 08:53.500]  In this case, we're going to talk about adversary emulation,
[08:53.500 --> 08:57.040]  but we want to differentiate the whole red team from pen testing.
[08:57.040 --> 09:01.760]  For example, in a pen test, you're generally finding and attacking preventive controls,
[09:01.760 --> 09:06.100]  the lack of patching, or maybe you found a vulnerability that the vendor doesn't know about.
[09:06.100 --> 09:08.700]  In red teaming, our goals are different.
[09:08.700 --> 09:12.600]  Our goals are to make the blue team better, to train,
[09:12.600 --> 09:18.720]  to test and measure people, process, and technology, and to test assumptions.
[09:18.720 --> 09:21.520]  The effort here, as I mentioned, is pretty manual.
[09:21.520 --> 09:25.580]  There's a lot of tools, so we'll cover some of those in the C2 matrix and this talk.
[09:25.580 --> 09:28.820]  And the frequency is really based on intelligence.
[09:28.820 --> 09:34.660]  I'm sure many of you this week heard about Black Hat and DEF CON and saw some new techniques,
[09:34.660 --> 09:39.620]  so we might want to be testing those out as soon as we're back at the office.
[09:39.640 --> 09:41.760]  The frequency really depends.
[09:41.760 --> 09:45.160]  We are seeing red team engagements being required by various regulators,
[09:45.160 --> 09:47.600]  and the customer here is the blue team.
[09:47.600 --> 09:50.560]  We want to work with the blue team.
[09:50.960 --> 09:55.080]  Now, there is a difference between internal and external teams.
[09:55.080 --> 09:57.820]  Internal red teams will do an engagement,
[09:57.820 --> 10:01.100]  and then they might have to repeat that engagement multiple times
[10:01.100 --> 10:04.600]  to ensure that the operations teams and the blue teams are trained
[10:04.600 --> 10:07.700]  and have the right detections in place.
[10:07.960 --> 10:10.420]  That means that they have to do a lot of retesting.
[10:10.420 --> 10:12.040]  They might not like that.
[10:12.040 --> 10:13.520]  They're also privileged.
[10:13.520 --> 10:14.820]  They're insiders.
[10:14.820 --> 10:16.320]  They have information.
[10:16.320 --> 10:19.620]  They've probably done other red team engagements and exercises,
[10:19.620 --> 10:22.400]  so they know what works and what doesn't work.
[10:22.400 --> 10:27.420]  So really, internal red teams should be seen more as a sparring partner to the blue team.
[10:27.420 --> 10:30.060]  They should have collaboration and get along.
[10:30.120 --> 10:32.260]  External teams are a little different.
[10:32.260 --> 10:34.340]  They offer a different perspective.
[10:34.340 --> 10:37.900]  Since they're coming from the outside, they don't have that insider knowledge.
[10:37.900 --> 10:41.280]  They'll be able to emulate an external malicious actor
[10:41.280 --> 10:44.240]  by performing and doing things like reconnaissance
[10:44.240 --> 10:46.600]  and learning more and seeing what's out there
[10:46.600 --> 10:50.340]  to see if they can breach that perimeter or get internal access.
[10:50.340 --> 10:53.620]  There's other types, though, where external teams could be brought in
[10:53.620 --> 10:55.400]  in an assumed breach perspective.
[10:55.400 --> 10:57.380]  We'll talk about that a little bit more.
[10:57.380 --> 11:00.460]  And these are mostly snapshot engagements, right?
[11:00.460 --> 11:02.020]  They come in once a year.
[11:02.020 --> 11:03.420]  They do the test.
[11:03.420 --> 11:04.640]  They leave a report.
[11:04.640 --> 11:07.520]  Maybe they do a red team reveal or a replay.
[11:07.720 --> 11:10.580]  And then they don't come back for at least a year.
[11:10.580 --> 11:14.920]  So it's very snapshot and point in time oriented.
[11:14.920 --> 11:19.700]  So why don't we move towards a purple team, especially for those internal teams?
[11:19.700 --> 11:22.060]  Your job is to make the blue team better,
[11:22.060 --> 11:26.040]  to test and measure and improve people, process and technology.
[11:26.040 --> 11:30.200]  You don't have to do these zero knowledge engagements all the time.
[11:30.200 --> 11:32.760]  You might only have to do it maybe every three months
[11:32.760 --> 11:35.320]  or every six months or once a year.
[11:35.320 --> 11:38.540]  The rest of the time, you can spend it in a purple team fashion,
[11:38.540 --> 11:41.620]  working and collaborating with the blue team.
[11:41.620 --> 11:46.540]  It is an efficient way of doing a lot of these adversary emulations.
[11:46.540 --> 11:48.260]  So what is a purple team?
[11:48.260 --> 11:50.940]  A purple team is a virtual or functional team
[11:50.940 --> 11:53.940]  where various teams actually come together and collaborate
[11:53.940 --> 11:57.980]  to improve the defensive security posture in a method
[11:57.980 --> 12:05.720]  that is more efficient than your standard red team engagement that results in a report.
[12:05.720 --> 12:11.220]  Here, we use cyber threat intelligence to understand a malicious threat actor.
[12:11.220 --> 12:12.960]  Generally, this team could be internal,
[12:12.960 --> 12:15.840]  in which case it would have a lot of insider information
[12:15.840 --> 12:17.980]  and really understand the target organization,
[12:17.980 --> 12:20.900]  or it can be an external cyber threat intelligence team.
[12:20.900 --> 12:23.340]  But the point is that they would provide a threat actor
[12:23.340 --> 12:29.400]  that has the capability, the intent and the opportunity to attack that organization.
[12:29.820 --> 12:35.560]  Then the red team consumes this information and creates an adversary emulation plan.
[12:35.720 --> 12:37.700]  You then tabletop this.
[12:37.700 --> 12:40.880]  You have a discussion with all the parties involved.
[12:40.880 --> 12:44.020]  The blue team can be the security operations center,
[12:44.180 --> 12:46.040]  a managed security service provider,
[12:46.260 --> 12:51.380]  a hunt team, or an incident response team, digital forensics, right?
[12:51.380 --> 12:53.260]  All of those are part of the blue team.
[12:53.260 --> 12:54.840]  You have this tabletop and you say,
[12:54.840 --> 13:00.860]  for these particular TTPs, these are our expected defenses.
[13:00.860 --> 13:02.640]  And then you emulate that.
[13:02.640 --> 13:05.040]  Red team shows the blue team what they're doing.
[13:05.040 --> 13:05.980]  They emulate it.
[13:05.980 --> 13:07.800]  It's a full knowledge engagement.
[13:07.860 --> 13:10.660]  The blue team will then go and look for indicators of compromise
[13:10.660 --> 13:13.160]  or indicators of this behavior.
[13:13.460 --> 13:15.880]  And then both teams work together to say,
[13:15.880 --> 13:19.020]  okay, we believe that this is good enough detection,
[13:19.020 --> 13:23.280]  or we can improve this detection by tuning these various tools.
[13:23.720 --> 13:27.520]  And then you repeat that over and over for various different TTPs.
[13:27.520 --> 13:29.600]  You can repeat that to train people.
[13:29.600 --> 13:32.060]  You can ensure that the processes are working.
[13:32.060 --> 13:37.300]  A handoff from a security operations center analyst to a level two analyst
[13:37.300 --> 13:41.960]  or to an incident response person works efficiently.
[13:41.960 --> 13:44.940]  And of course, you're also tuning your technology.
[13:46.180 --> 13:48.260]  Did you say purple?
[13:48.260 --> 13:50.700]  And yes, purple is very hot right now.
[13:50.700 --> 13:52.520]  And it's because of the efficiencies.
[13:52.520 --> 13:56.540]  Now, anything we do in offensive is to bring business value.
[13:56.540 --> 13:58.740]  So regardless of what you're calling this,
[13:58.740 --> 14:01.260]  if it's a red team engagement with no knowledge
[14:01.260 --> 14:06.080]  or a purple team engagement, we always want to bring business value.
[14:07.620 --> 14:11.780]  So as usual, we start with frameworks and methodologies.
[14:11.780 --> 14:14.020]  And that's very important for us,
[14:14.020 --> 14:17.340]  because if you're going to sell doing an adversary emulation,
[14:17.340 --> 14:20.460]  especially a ransomware one to your organization,
[14:20.460 --> 14:22.280]  you better have a good plan.
[14:22.280 --> 14:26.060]  And one of the things that does that is a framework and a methodology.
[14:26.060 --> 14:28.940]  Now, one of the ones that we recently released through SCYTHE
[14:28.940 --> 14:31.560]  is the purple team exercise framework.
[14:31.560 --> 14:33.960]  This covers cyber threat intelligence,
[14:33.960 --> 14:35.520]  covers sponsorships,
[14:35.520 --> 14:40.780]  covers getting the people in the process and getting everything ready for that exercise.
[14:40.780 --> 14:43.760]  And you can see over here on the right, kind of the life cycle there.
[14:43.760 --> 14:45.500]  We start with cyber threat intelligence,
[14:45.500 --> 14:46.940]  we do preparation,
[14:46.940 --> 14:49.600]  we execute the exercise,
[14:49.600 --> 14:51.860]  and then we have lessons learned.
[14:51.860 --> 14:55.560]  There's a number of different methodologies that you can use.
[14:55.560 --> 14:59.040]  One of the original ones was the Cyber Kill Chain by Lockheed Martin,
[14:59.040 --> 15:03.420]  which was seven steps showing senior management kind of how an attack works.
[15:03.420 --> 15:04.760]  That has matured.
[15:04.760 --> 15:07.420]  Paul Pols came out with the Unified Cyber Kill Chain,
[15:07.420 --> 15:09.060]  which goes way more in depth.
[15:09.060 --> 15:11.240]  Really like that one and shout out to Paul.
[15:11.400 --> 15:15.280]  And then we have financials that have a number of different regulations.
[15:15.280 --> 15:17.500]  The Bank of England has CBEST,
[15:17.500 --> 15:19.860]  the European Central Bank, the ECB,
[15:19.860 --> 15:21.300]  has TIBER-EU,
[15:21.300 --> 15:24.620]  which is Threat Intelligence-Based Ethical Red Teaming.
[15:24.620 --> 15:28.920]  The Monetary Authority of Singapore and the Association of Banks in Singapore have
[15:28.920 --> 15:32.280]  Red Team Adversarial Attack Simulation Exercises.
[15:32.320 --> 15:38.180]  The Hong Kong Monetary Authority has Intelligence-led Cyber Attack Simulation Testing.
[15:38.180 --> 15:43.220]  And then we all came together and I was a co-author with the Global Financial Markets Association
[15:43.640 --> 15:48.800]  to create a framework for the regulatory use of pen testing in the financial services industry.
[15:48.800 --> 15:51.920]  So there's many frameworks out there that you can use and leverage
[15:51.920 --> 15:54.160]  that are free and open source.
[15:54.160 --> 15:58.960]  Pick one and use that one, that way you can show that you are a professional.
[15:58.960 --> 16:02.220]  And then for testing, of course, we're going to use MITRE ATT&CK,
[16:02.220 --> 16:07.080]  which stands for Adversarial Tactics, Techniques, and Common Knowledge.
[16:07.080 --> 16:09.840]  And it really is a common knowledge or common language
[16:09.840 --> 16:12.240]  that allows the cyber threat intelligence team
[16:12.240 --> 16:15.880]  to work with the blue team, the incident response teams,
[16:15.880 --> 16:19.160]  and the red teams all speaking the same language.
[16:19.160 --> 16:21.400]  So as something occurs in the wild,
[16:21.400 --> 16:25.600]  something like the Garmin hack, which we'll cover right now,
[16:25.600 --> 16:29.900]  the forensics team goes in there, understands what happens,
[16:29.900 --> 16:32.160]  and then they give us cyber threat intelligence.
[16:32.160 --> 16:35.480]  The cyber threat intelligence team will create these reports,
[16:35.480 --> 16:40.040]  which we will then consume, and then we can map all these back to MITRE ATT&CK.
[16:40.040 --> 16:42.700]  And of course, everyone's seen the MITRE ATT&CK framework.
[16:42.700 --> 16:46.760]  On the top, we have our tactics. Those are the adversary goals.
[16:46.760 --> 16:50.820]  Under those, we have our techniques, which now have sub-techniques,
[16:50.820 --> 16:55.140]  and also procedures. And the procedure level is the lowest level you can get.
[16:55.140 --> 16:58.100]  So it's very good to use frameworks like these.
[16:59.720 --> 17:02.300]  In this case, we're going to talk about ransomware.
[17:02.300 --> 17:06.940]  And there is a particular tactic that covers ransomware,
[17:06.940 --> 17:11.880]  and that's called the impact tactic. It's TA0040.
[17:11.920 --> 17:16.860]  According to MITRE, Impact is the adversary trying to manipulate,
[17:16.860 --> 17:19.380]  interrupt, or destroy your systems and data.
[17:19.380 --> 17:23.620]  So really, it's trying to disrupt availability or compromise integrity
[17:24.340 --> 17:27.140]  by destroying and tampering your data.
[17:27.140 --> 17:32.380]  So generally, this is used to achieve that end goal.
[17:32.380 --> 17:36.740]  And over here on the right, you have an example of just some of the techniques and sub-techniques.
[17:36.740 --> 17:38.940]  So data manipulation would be the technique.
[17:38.940 --> 17:41.020]  And then you have stored data manipulation,
[17:41.020 --> 17:44.960]  transmitted data manipulation, and runtime data manipulation as sub-techniques.
[17:44.960 --> 17:48.440]  You can then click on those and see procedures for different ones.
[17:48.440 --> 17:51.120]  But this is really one of the main objectives,
[17:51.120 --> 17:56.120]  is to impact the system to then, in ransomware, request money
[17:56.800 --> 18:00.420]  for that particular access back to your systems.
[18:01.420 --> 18:04.340]  So let's talk about ransomware.
[18:04.560 --> 18:10.860]  Generally, what we see is threat actors trying to go out and get initial access
[18:10.860 --> 18:15.040]  to a target system or network, and then encrypt files.
[18:15.040 --> 18:17.760]  And if you want those files back, you have to pay a ransom.
[18:17.760 --> 18:24.640]  So a lot of this is very opportunistic, in that it's a drive-by type of compromise.
[18:24.640 --> 18:28.760]  Anyone in your organization visits a webpage, whether they clicked on it,
[18:28.760 --> 18:34.820]  or they got there through links or whatnot, and that tries to compromise their system.
[18:34.820 --> 18:40.220]  From there, the malware will try to run and encrypt files.
[18:40.220 --> 18:43.420]  Now, we're seeing three different methods of encrypting files.
[18:43.420 --> 18:48.300]  One is reading the file and creating an encrypted version of that file,
[18:48.300 --> 18:51.740]  replacing the original file with the encrypted one.
[18:51.740 --> 18:55.480]  The other one uses raw disk access for encryption.
[18:56.120 --> 19:00.800]  And then the third one is opening the file, encrypting the contents of the file,
[19:00.800 --> 19:03.000]  and then save the file itself.
[19:03.000 --> 19:05.260]  So different ways of doing this.
[19:05.260 --> 19:08.960]  Sometimes we see organizations stealing those files.
[19:08.960 --> 19:10.480]  Not all of them steal it.
[19:10.480 --> 19:15.000]  You get on the target system, you encrypt the files, you steal them,
[19:15.000 --> 19:17.260]  and then you post the ransom note.
[19:17.580 --> 19:19.140]  So some of those do that.
[19:19.140 --> 19:22.620]  And then, of course, they download some sort of ransom note saying,
[19:22.620 --> 19:27.560]  now you need to pay if you want access to your files.
[19:27.560 --> 19:33.700]  And of course, the actor's main goal and objective here is to get paid,
[19:33.700 --> 19:37.300]  get money, generally in some sort of cryptocurrency.
[19:38.140 --> 19:40.640]  So let's talk about Garmin.
[19:40.640 --> 19:46.560]  On July 22nd, a lot of folks started posting that they could not connect to Garmin.
[19:46.560 --> 19:49.400]  Garmin is a company that specializes in GPS.
[19:49.940 --> 19:55.860]  They also have fitness trackers and a number of other services, as you can see on the screen.
[19:55.960 --> 20:01.660]  And all that Garmin was saying is that they're currently experiencing an outage.
[20:01.660 --> 20:04.940]  Now, this outage lasted a number of days.
[20:04.940 --> 20:08.400]  Rumors started going around that this was ransomware.
[20:08.720 --> 20:10.380]  And now, by the time you're watching this,
[20:10.380 --> 20:14.220]  we obviously have quite a bit of information about this that we're going to go over.
[20:14.220 --> 20:18.300]  But you can see here on the right, a lot of services were down.
[20:18.300 --> 20:21.840]  One that was quite interesting is FlyGarmin.
[20:21.840 --> 20:26.800]  So a number of planes actually use Garmin devices for their tracking and their GPS,
[20:26.800 --> 20:31.680]  and those planes would not be able to fly because they didn't have tracking.
[20:31.680 --> 20:36.000]  You can see here, it definitely impacted a lot of people.
[20:36.000 --> 20:37.660]  It was a global outage.
[20:37.660 --> 20:42.760]  So given the timeliness of this, this is the malicious organization
[20:43.260 --> 20:45.120]  that we are going to learn from.
[20:45.120 --> 20:51.700]  We have learned now that the malicious actor is a threat group called Evil Corp.
[20:51.700 --> 20:58.880]  And in this particular case, they used a ransomware malware known as WastedLocker.
[20:58.880 --> 21:01.660]  So let's learn a little bit about this.
[21:01.680 --> 21:05.880]  So Evil Corp, in this particular attack,
[21:05.880 --> 21:11.540]  would first get initial access through drive-by sites.
[21:11.540 --> 21:15.300]  That means they compromised a legitimate website first,
[21:15.300 --> 21:19.660]  and whenever anyone visited this particular website,
[21:19.660 --> 21:22.120]  they would download SocGholish.
[21:22.280 --> 21:26.920]  And that would trigger a number of different actions.
[21:26.920 --> 21:30.160]  So in this case, and we're thinking from a red team perspective,
[21:30.160 --> 21:34.500]  we won't be able to emulate this particular TTP
[21:34.500 --> 21:38.840]  because we're not going to have permission to compromise a third party.
[21:38.840 --> 21:42.120]  So in this case, we will have to simulate what happens
[21:42.120 --> 21:47.200]  and get that initial access through some other method.
[21:47.380 --> 21:52.440]  And then once SocGholish ran, it is a zip file with malicious JavaScript
[21:52.440 --> 21:55.880]  that was masquerading as a browser update.
[21:55.880 --> 21:58.520]  That's another TTP in MITRE ATT&CK.
[21:58.520 --> 22:02.840]  Then a second JavaScript file would profile the computer
[22:02.840 --> 22:05.860]  to see where it was, gain some situational awareness,
[22:05.860 --> 22:09.280]  and then it used PowerShell to download additional
[22:09.280 --> 22:12.820]  discovery-related PowerShell scripts like PowerView,
[22:12.820 --> 22:14.820]  which we've heard quite a bit about.
[22:14.820 --> 22:17.980]  It's a free script that you can get straight from GitHub.
[22:18.480 --> 22:22.900]  Then once the attacker had access to execute PowerShell,
[22:22.900 --> 22:28.100]  they gained network access and would drop Cobalt Strike malware.
[22:28.100 --> 22:30.900]  Cobalt Strike is a command and control framework,
[22:30.900 --> 22:33.340]  which we'll cover here or we'll actually demo it
[22:33.340 --> 22:35.700]  because we're going to emulate all of this.
[22:35.700 --> 22:39.320]  And unfortunately, Cobalt Strike has been used by malicious threat actors before
[22:39.320 --> 22:42.320]  because an early version of it was leaked.
[22:42.340 --> 22:45.580]  With a Cobalt Strike command and control established,
[22:45.580 --> 22:51.000]  then they lived off the land to do some things like steal credentials,
[22:51.000 --> 22:53.940]  escalate privileges, and move laterally.
[22:53.940 --> 22:57.660]  So there's a more sophisticated threat actor that doesn't just get on one system
[22:57.660 --> 22:59.360]  and drops the ransomware.
[22:59.360 --> 23:06.640]  It was moving laterally up until the point where it would deploy the WastedLocker ransomware.
[23:06.640 --> 23:11.560]  So EvilCorp is the adversary and the WastedLocker is the ransomware
[23:11.560 --> 23:15.440]  that would actually encrypt the files and request the ransom.
[23:16.040 --> 23:20.300]  So PowerShell was used to download and execute a loader from a domain
[23:20.300 --> 23:25.740]  that was publicly reported to be delivering Cobalt Strike as part of these attacks.
[23:25.740 --> 23:28.260]  And then injected a payload.
[23:28.380 --> 23:32.700]  In this case, Cobalt Strike uses its payload, which is called a beacon,
[23:32.700 --> 23:35.020]  and that is used to execute commands.
[23:35.020 --> 23:38.980]  It injects into other processes, it elevates the privilege,
[23:38.980 --> 23:41.860]  and then it could upload and download other files,
[23:41.860 --> 23:46.280]  in which case it would do that for this particular malware.
[23:46.700 --> 23:50.920]  The privilege escalation, this particular attack against Garmin
[23:50.920 --> 23:54.700]  seemed to be with the software licensing user interface tool,
[23:54.700 --> 23:58.420]  which is a command line tool that comes with the operating system.
[23:58.420 --> 24:02.960]  We call these living off the land because it's a tool that's already there.
[24:02.960 --> 24:05.820]  They would use that to escalate privileges.
[24:06.480 --> 24:09.820]  Then we've learned as well from the cyber threat intelligence
[24:09.820 --> 24:12.180]  that the attackers would use WMI,
[24:12.180 --> 24:15.980]  which is Windows Management Instrumentation Command Line Utility.
[24:15.980 --> 24:18.080]  This is also a living off the land tool.
[24:18.080 --> 24:22.200]  It comes with all versions of Windows to execute commands on remote computers,
[24:22.200 --> 24:26.940]  such as adding new users or executing additional PowerShell.
[24:27.340 --> 24:30.400]  Then the attackers launched a legitimate command line tool
[24:30.400 --> 24:33.820]  for managing Windows Defender to disable Defender
[24:33.820 --> 24:36.120]  and the scanning of new files
[24:36.120 --> 24:39.520]  in the event that this malware they were using would get caught,
[24:39.520 --> 24:41.860]  they would disable this part.
[24:41.860 --> 24:43.980]  That's another MITRE ATT&CK TTP.
[24:44.720 --> 24:48.840]  And then lastly, they would use PsExec to move laterally
[24:48.840 --> 24:52.760]  and deploy the WastedLocker ransomware,
[24:52.760 --> 24:57.740]  which begins the encryption process and would also delete the shadow volumes.
[24:57.740 --> 25:04.080]  So all of this is cyber threat intel that we have pulled together for emulation.
[25:04.560 --> 25:06.940]  This is what WastedLocker looks like.
[25:06.940 --> 25:11.960]  It is interesting because it creates a file.
[25:12.000 --> 25:16.860]  The encrypted file is called the particular file name
[25:16.860 --> 25:21.740]  and then the extension had the organization name and wasted at the end.
[25:21.740 --> 25:26.820]  And then it would get a ransomware note that was a text file
[25:26.820 --> 25:30.660]  and then it would be called wasted underscore info.
[25:30.660 --> 25:32.760]  And here you could see this particular message.
[25:32.760 --> 25:37.300]  So all of this is important for us as we plan what we're going to do.
[25:37.500 --> 25:43.760]  Now, none of the cyber threat intelligence I read had MITRE ATT&CK mapping,
[25:43.760 --> 25:49.720]  neither for EvilCorp as a threat actor or a group nor for WastedLocker as a ransomware.
[25:49.720 --> 25:54.460]  So I had to manually extract these TTPs from the cyber threat intelligence
[25:55.160 --> 25:59.300]  and then create a MITRE ATT&CK Navigator layer.
[25:59.300 --> 26:00.100]  So I've done that.
[26:00.100 --> 26:03.840]  And here you can see a screenshot on the right of the impact portion.
[26:03.840 --> 26:06.620]  This is what the WastedLocker ransomware does.
[26:06.620 --> 26:12.500]  And there you can see that the JSON layer is available for you to take a look.
[26:12.500 --> 26:14.980]  So let's take a look at that one right now.
[26:14.980 --> 26:18.960]  Here is the MITRE ATT&CK layer that I created.
[26:19.000 --> 26:24.400]  A nice feature of ATT&CK Navigator is that you can give it a JSON file.
[26:24.400 --> 26:30.400]  So you see up here, this is hosted on GitHub and we give it the URL.
[26:30.400 --> 26:35.700]  This URL here is the Scythe GitHub where I post community threats.
[26:35.700 --> 26:39.040]  And in this case, it has this layer, which it renders here.
[26:39.040 --> 26:42.760]  So we can see the initial access was drive-by compromise.
[26:42.760 --> 26:46.320]  We can see execution through PowerShell and JavaScript.
[26:46.320 --> 26:49.920]  We can see user execution through a malicious file,
[26:49.920 --> 26:52.640]  service execution, as well as WMI.
[26:52.640 --> 26:56.380]  We can see some privilege escalation, defense evasion.
[26:56.380 --> 26:59.180]  And then we have to scroll over to the right,
[26:59.180 --> 27:02.520]  thanks to all the sub techniques, to see other things such as discovery
[27:02.520 --> 27:07.200]  of local accounts and domain accounts, system owner and user discovery,
[27:07.200 --> 27:14.580]  lateral movements, command and control through HTTPS using asymmetric crypto
[27:14.580 --> 27:17.540]  and a web protocol over HTTPS.
[27:17.540 --> 27:20.280]  And then over on the right, we see the data destruction,
[27:20.280 --> 27:25.860]  data encryption, stored data manipulation, and stopping that service.
[27:25.880 --> 27:29.600]  So I went through all that cyber threat intelligence and I pulled this out,
[27:29.600 --> 27:35.720]  which allows me to create a much better plan for what we are going to try to do
[27:35.720 --> 27:42.860]  here in this red team exercise that emulates EvilCorp and the WastedLocker malware.
[27:43.240 --> 27:47.140]  So planning is very important, right? We started with cyber threat intelligence,
[27:47.140 --> 27:50.200]  we learned about the Garmin hack, we learned about EvilCorp,
[27:50.200 --> 27:56.000]  we learned about the WastedLocker malware, and we mapped that to MITRE ATT&CK.
[27:56.000 --> 28:00.120]  Now let's talk about planning. What are the goals and objectives here?
[28:00.120 --> 28:04.480]  In this case, we want to determine if an attack like Garmin
[28:04.480 --> 28:09.220]  would work in our target environment. We also want to decide,
[28:09.220 --> 28:13.200]  are we going to do this as a red team exercise or a purple team exercise?
[28:13.240 --> 28:18.220]  Given we are in the red team village, we'll do it as a red team exercise.
[28:18.220 --> 28:21.600]  I'm going to emulate all the steps and then later on,
[28:21.600 --> 28:25.120]  we'll see what the blue team was able to catch or prevent.
[28:25.880 --> 28:30.140]  It's very important to have an exercise coordinator and a project manager.
[28:30.140 --> 28:34.860]  That way, even though it is a zero-knowledge engagement,
[28:34.860 --> 28:44.040]  they communicate what is happening to the target organization, to the blue team trusted agents.
[28:44.040 --> 28:48.420]  Those are folks within the organization that know the exercise is happening,
[28:48.420 --> 28:52.520]  but are not going to tell the players that this is happening.
[28:52.520 --> 28:57.420]  Because if they know that this is an exercise, their behavior will change,
[28:57.420 --> 29:03.480]  which means your measurement of that particular testing will also change.
[29:03.760 --> 29:09.000]  Next, we want to do assume breach or a full end-to-end exercise.
[29:09.000 --> 29:14.740]  In this case, we know through cyber threat intelligence that the initial access was
[29:14.740 --> 29:18.760]  through a compromised third-party site. So that's not something you're going to
[29:18.760 --> 29:23.940]  be allowed to emulate. So let's go with an assume breach.
[29:23.940 --> 29:28.960]  Assume breach is a more efficient way of doing this, especially for mature organizations
[29:28.960 --> 29:34.320]  that know they're going to get breached. At any given time, there will most likely be some
[29:34.320 --> 29:38.840]  exploits, some vulnerability, or someone inside the target organization is going to click on
[29:38.840 --> 29:43.840]  something. So for this instance, we're going to go with the assume breach because we want to
[29:43.840 --> 29:50.920]  really get to a ransomware part. We want to focus on that and not focus on the initial access.
[29:50.920 --> 29:56.600]  As usual, there's going to be rules of engagement. So don't encrypt or actually
[29:56.600 --> 30:03.260]  ransom any business data, right? Create new files, encrypt those, and or exfiltrate them
[30:03.260 --> 30:08.300]  based on this threat actor. In this particular case, it didn't look like EvilCorp actually
[30:08.300 --> 30:14.060]  exfiltrated the data. So we're going to create a plan that does exactly that, that creates new
[30:14.060 --> 30:20.400]  files, a lot of new files, encrypts them, downloads a ransom note, and then that way we've emulated
[30:20.400 --> 30:27.780]  in a safe manner so that the target organization, one, approves this exercise, and two, we will be
[30:27.780 --> 30:33.280]  able to answer the question, can this happen to us without introducing risk? And then lastly,
[30:33.280 --> 30:41.940]  we have to talk about attack infrastructure. So for attack infrastructure, the red team needs
[30:41.940 --> 30:47.060]  to determine what tool they're going to use. Well, this actually was pretty easy because
[30:47.060 --> 30:53.780]  the Cyber Threat Intelligence told us that they use Cobalt Strike. So what we can do is use the
[30:53.780 --> 30:59.620]  C2 matrix, and it's a Google sheet of a number of different C2s, and it shares all the different
[30:59.620 --> 31:04.780]  capabilities that each of these have. So if we hadn't heard about Cobalt Strike, we can take a
[31:04.780 --> 31:11.720]  look at that particular one and learn about it here. You can find the ideal C2. Now for the
[31:11.720 --> 31:15.800]  malware creation part, we might have to use a different tool to create something
[31:15.800 --> 31:22.660]  that does the same thing that WastedLocker does, because Cobalt Strike doesn't have those
[31:22.660 --> 31:30.720]  particular features. The C2 matrix also has a Slingshot virtual machine, which allows you to
[31:30.720 --> 31:37.560]  get started and test eight of these C2s without having to install them. You just
[31:37.560 --> 31:43.480]  download the virtual machine and you can use them. And there's also a how-to site where you can learn
[31:43.480 --> 31:47.160]  how to use all of these. So I'll show that shortly.
[31:47.680 --> 31:54.020]  In this case, we know we need to use Cobalt Strike. So Cobalt Strike is a commercial command
[31:54.020 --> 31:59.680]  and control framework. It's available on cobaltstrike.com. And unfortunately, it was
[31:59.680 --> 32:06.520]  leaked. And that means that malicious actors have their hands on it. And it has a MITRE ATT&CK page
[32:06.520 --> 32:12.440]  as well. It's software S0154. And within there, you can see a number of different malicious actors
[32:12.440 --> 32:20.540]  that have used this. This here comes from MITRE ATT&CK, which they haven't added EvilCorp as a
[32:20.540 --> 32:26.320]  group, nor have they correlated EvilCorp as having used Cobalt Strike either. But I'll work with the
[32:26.320 --> 32:30.600]  MITRE team to get that added. And then on the right, there's a screenshot straight from Cobalt
[32:30.600 --> 32:36.680]  Strike's website as to all the various different features that this particular product has.
[32:36.680 --> 32:41.580]  So that is our initial access and getting to the point where we can deploy our malware.
[32:41.580 --> 32:47.360]  Now, for deploying our malware, we're going to use Scythe. And that's because Scythe specializes
[32:47.360 --> 32:56.640]  in creating custom controlled synthetic malware that will run in a production environment without
[32:56.640 --> 33:03.880]  introducing risk. It's also a tool that allows you to emulate known threat actors and automate
[33:04.240 --> 33:10.240]  a lot of those TTPs. Now, obviously, I work at Scythe and I have the cool hoodie, as you can see.
[33:10.940 --> 33:16.540]  We went with that one to show you how cool and how easy it is to create this particular malware.
[33:16.560 --> 33:21.920]  Also, I couldn't figure out how to create something like ransomware so easily with any of the other
[33:21.920 --> 33:27.560]  C2s. But if you have any C2s that you think do this, definitely let me know.
[33:28.000 --> 33:33.360]  So Scythe is also a command and control framework. It's a pretty easy installer. It installs on
[33:33.360 --> 33:38.540]  Windows. It allows multiple channels for command and control. In this case, we know we have to use
[33:38.540 --> 33:45.160]  HTTPS, which it has. And then it builds automation. So not only do we want to drop
[33:45.160 --> 33:50.580]  this synthetic malware that does what WastedLocker does, we want to automate that, right? It's going
[33:50.580 --> 33:55.120]  to create files. It's going to encrypt files. It's going to download a ransom note. All of that
[33:55.120 --> 34:01.940]  needs to be done all in one. So it really allows us to do that. And it has a variety of integrations
[34:01.940 --> 34:07.560]  with a number of different tools like VECTR for tracking red and purple team exercises,
[34:07.560 --> 34:12.900]  PlexTrac if you use that in your corporation, and integration for purple teams with Splunk and
[34:12.900 --> 34:20.580]  really any SIEM. So it's really a great tool for doing this particular ransomware malware that we
[34:20.580 --> 34:26.320]  want to do. Is it even possible to emulate ransomware? Well, I've hinted at all of this
[34:26.320 --> 34:32.460]  as we get up to this slide. And the answer is, of course it is. The secret is to not encrypt or
[34:32.460 --> 34:38.240]  destroy real production data, right? You have that already in your plan and it will get approved
[34:38.240 --> 34:45.440]  because you're not impacting the target systems. You're not impacting production. So instead of
[34:46.380 --> 34:52.820]  encrypting real files, what we're going to do is first create new files and then encrypt them,
[34:52.820 --> 34:58.340]  exfiltrate them if this particular threat actor did, which EvilCorp did not, and then download
[34:58.640 --> 35:05.100]  a ransom note. So this method will ensure that no data is ever at risk of being encrypted or
[35:05.100 --> 35:10.780]  destroyed or leaked out. And over on the right, you can see the steps here. This is the malware
[35:10.780 --> 35:15.860]  that I've created with Scythe. It's going to load a number of different things into memory,
[35:15.860 --> 35:20.460]  which WastedLocker also did, was it loaded everything into memory so that it wouldn't get
[35:20.460 --> 35:26.400]  caught. Then we're going to create a directory on our desktop called EvilCorp. Within there,
[35:26.400 --> 35:32.480]  we're going to create 55 meg files. So we have a lot of volume there. And then we're going to
[35:32.480 --> 35:39.120]  encrypt that. And the password we chose in this case is EvilCorp in leetspeak. And then we're
[35:39.120 --> 35:44.980]  going to download a ransom note from a pastebin that I created that's very similar to the ransom
[35:44.980 --> 35:52.900]  note from WastedLocker. And we're going to put that in the desktop so that it shows. And then,
[35:52.900 --> 35:59.440]  of course, we're going to shut down and clean up after ourselves. So let's take a look. We're going
[35:59.440 --> 36:08.540]  to start with our SANS Slingshot C2 Matrix Edition virtual machine. It is running on a separate
[36:08.540 --> 36:15.300]  network with a Windows 10 victim system. Again, we're going to focus on the actual ransomware
[36:15.300 --> 36:22.040]  payload and not so much on the initial access and lateral movement. But because it did use
[36:22.040 --> 36:27.300]  Cobalt Strike, let's go ahead and start with that. In this case, I have Cobalt Strike installed
[36:27.300 --> 36:32.700]  in slash op slash Cobalt Strike. I'm going to start a team server. You have to start that with
[36:32.700 --> 36:42.000]  sudo. And I'm just going to put a basic password in there. My IP is 192.168.1.166. So we'll start
[36:42.000 --> 36:49.480]  that up. And then on another window, I will start the Cobalt Strike client. You don't need sudo for
[36:49.480 --> 36:59.980]  that. And here we will connect. So this is Cobalt Strike. The first thing we're going to do, like in
[36:59.980 --> 37:15.640]  any other command control framework, is set up a listener. I'm going to click add. And we're going
[37:15.640 --> 37:21.640]  to use port 8080 just because we have something else running. We have Apache running on port 80.
[37:24.060 --> 37:27.360]  Now that we have the listener, we are going to create an attack.
[37:27.360 --> 37:33.660]  As the threat intel told us, they use PowerShell for that. So we'll do exactly that.
[37:50.230 --> 37:55.350]  So what we're going to do is move over that payload to the system where we will execute it
[37:55.350 --> 38:17.900]  from. And we copy and paste that into a standard command prompt. And here we see it has checked in.
[38:19.120 --> 38:23.720]  Now that we have access on this target system, we can do the things that
[38:23.720 --> 38:30.460]  EvilCorp did, which was escalate privileges and move laterally, etc. In this case, we want to
[38:30.460 --> 38:37.760]  focus more on impact, which is on the ransomware. So let's go over and create the WastedLocker
[38:37.760 --> 38:44.060]  synthetic malware. So I'm over here in Scythe. I'm going to Threat Catalog. And I've already
[38:44.060 --> 38:51.640]  imported the WastedLocker campaign. So here we see that it will do everything that we discussed,
[38:51.640 --> 38:57.540]  which was load, run, file, correct downloader. It will create a directory, an EvilCorp directory,
[38:57.540 --> 39:05.960]  on the desktop. It will create five files all with that wasted extension.
[39:05.960 --> 39:11.040]  Then it will encrypt them. Then it will download a message. And then it'll shut down.
[39:19.780 --> 39:25.620]  Now we will download that 32-bit executable onto our Linux system,
[39:25.620 --> 39:29.520]  so that we then use Cobalt Strike to upload it and execute it.
[39:38.940 --> 39:44.520]  Now we will upload the file into this C:\Users\george directory.
[39:51.300 --> 40:03.170]  And now we will execute it. You should see that execution now here.
[40:05.530 --> 40:10.510]  And there's the check-in. It's going to go through and load all these modules.
[40:10.510 --> 40:19.130]  If we observe the directory here on the victim system, we will see it create the folder
[40:19.130 --> 40:28.110]  EvilCorp, create the files, encrypt those files, and then download a ransom note from Pastebin.
[40:29.930 --> 40:39.150]  There's the EvilCorp folder. It will now create all these files and then encrypt them,
[40:39.150 --> 40:53.010]  and then download the ransom note. And here we see the ransom note was downloaded.
[40:54.330 --> 40:59.950]  And there is the ransom note, very similar to what was used in Garmin.
[40:59.950 --> 41:06.690]  So as you can see, we use Cobalt Strike to get that initial access with a PowerShell script,
[41:06.690 --> 41:12.970]  and then use Cobalt Strike to dump this executable, which is synthetic malware
[41:12.970 --> 41:22.530]  created with Scythe, to emulate a ransomware attack inside a professional enterprise network
[41:22.530 --> 41:29.430]  without introducing any risk. How do we defend against ransomware? Well, before,
[41:29.430 --> 41:34.670]  we just had to worry about that initial access on preventive controls, because ransomware
[41:34.670 --> 41:40.130]  would find its way into any system and then encrypt it, even with user-level privileges.
[41:40.130 --> 41:45.670]  But now we're seeing these more sophisticated attacks, like EvilCorp on Garmin, where
[41:45.670 --> 41:51.390]  it's getting access, the threat actor gets access to a system, does privilege escalation,
[41:51.390 --> 41:58.230]  moves laterally, does defense evasion, executes a number of different ways, and then drops their
[41:58.230 --> 42:04.030]  encryption. So there's a number of different ways to defend against this, very similar to your other
[42:04.670 --> 42:10.170]  adversary emulations that didn't have the ransomware type impact. We're now seeing those
[42:10.170 --> 42:17.450]  there. So there's a number of different ways to defend against this. I did an excellent interview
[42:17.450 --> 42:25.370]  with Olaf from FalconForce on using things like Sysmon. Because we are calling all those encryption
[42:26.270 --> 42:31.150]  APIs, you should be able to detect that, especially if a whole bunch of systems do it.
[42:31.150 --> 42:36.750]  Now, US CERT just recently released these tips, and there's a number of other resources here.
[42:37.130 --> 42:43.310]  I do want to point out another organization that was recently breached called CWT. They are
[42:43.310 --> 42:51.810]  an enterprise, a corporate travel organization, and their chats with the malicious actor were
[42:51.810 --> 42:58.810]  leaked. In this case, they actually paid four million dollars to get access to their files,
[42:58.810 --> 43:02.970]  and the chat was leaked. The link is there for the entire thread if you want to read it,
[43:02.970 --> 43:09.930]  but here you can see quite a bit of advice that was given to the target organization after the
[43:09.930 --> 43:17.430]  malicious work was done and they got paid. They gave them some advice as to what to do,
[43:17.430 --> 43:23.270]  which is very similar advice to a lot of the things that we find in our adversary emulations.
[43:24.050 --> 43:31.410]  So obviously there's a lot more ransomware than just WastedLocker. These are just a few with
[43:31.410 --> 43:37.030]  their links to MITRE ATT&CK, as well as an interesting service I saw called Shadow Intelligence,
[43:37.030 --> 43:41.630]  which tells you about a number of different ransomware attacks. So definitely check them out.
[43:42.570 --> 43:48.930]  Now if this interests you, we have a Threat Thursday. So every Thursday we choose an adversary,
[43:48.930 --> 43:54.590]  we introduce the adversary, we consume Cyber Threat Intelligence, map it to MITRE ATT&CK,
[43:54.590 --> 43:59.810]  create that navigator layer just like we did here, then we create an adversary emulation plan,
[43:59.810 --> 44:06.650]  we share that plan in our community GitHub, we emulate the adversary and show it on a video,
[44:06.650 --> 44:11.850]  and we talk about how to defend against this. So this is all free for the community. A lot of it is
[44:11.850 --> 44:16.790]  with Scythe, but a lot of the living off the land you'll be able to do without using Scythe.
[44:19.210 --> 44:23.910]  Another thing I wanted to mention is to save the date. I know you all like free conferences,
[44:23.910 --> 44:30.190]  so we are hosting a free conference called UNICON, our very own unicorn conference. Yes,
[44:30.190 --> 44:35.710]  I work at Scythe, where we have unicorns. And that is going to be on August 20th. We're doing
[44:35.710 --> 44:44.290]  some very cool stuff and creating an ecosystem for the community. So we have an SDK that allows
[44:44.290 --> 44:52.450]  you to create your own adversary TTPs. Think of it of creating a bug bounty, but for TTPs,
[44:52.450 --> 44:58.570]  for Adversary Behaviors. You can create these modules and put them up in this marketplace,
[44:58.570 --> 45:04.570]  where you can share them for free or sell them and make some money off of them. So all of that
[45:04.570 --> 45:10.270]  is possible through our marketplace, and we will be releasing that at UNICON. The way it works is
[45:10.270 --> 45:17.810]  that you use the SDK, which is completely free. You create a TTP, you add it into the marketplace,
[45:17.810 --> 45:23.670]  and then any Scythe user will be able to grab it or pay you for it, and then run these adversary
[45:23.670 --> 45:30.550]  emulations in their environment and hopefully detect the different behaviors that you've created.
[45:30.550 --> 45:36.050]  If not, they'll be able to test and hopefully improve it. So it's an ecosystem of sharing
[45:36.050 --> 45:42.230]  offensive techniques so that organizations can better defend themselves.
[45:43.250 --> 45:48.470]  I went through a number of different references, so here is the slide. Obviously, I didn't do all
[45:48.470 --> 45:53.170]  of this on my own. Big shout out to the folks that did the Cyber Threat Intelligence for
[45:53.170 --> 45:59.070]  EvilCorp and WastedLocker. I did the MITRE ATT&CK mapping, and as I mentioned, all of that is shared
[45:59.070 --> 46:06.190]  for you, and hopefully you found all of this useful. So with that, thank you very much for
[46:06.190 --> 46:10.970]  your time. I really appreciate it. Hopefully you learned something here today, and I'll see you
